The Act gives rights to individuals in respect of personal data held about them by others. The rights are:
We shall look in detail only at subject access rights.
Any individual may make a (written) request to the data controller for details of what information is held about himself or herself. A standard fee is payable, but an individual is then entitled:
A data controller must comply with a subject access request within forty days of receipt of the request. If the controller needs to confirm the identity of the person making the request, a response must be issued within forty days of receipt of that confirmation.
The information given in response to a subject access request should be all that which is contained in the personal data at the time the request was received. However, routine amendments and deletions of the data may continue between the date of the request and the date of the reply. Hence the information revealed to the data subject may differ from the data which were held at the time the request was received, even to the extent that data are no longer held. However, the data controller must not tamper with the information just to make it acceptable to the data subject.
A particular problem arises for data controllers who may find that in complying with a subject access request they will disclose information relating to an individual other than the data subject who can be identified from that information. The Act recognises this problem and sets out only two circumstances in which the data controller is obliged to comply with the subject access request in such circumstances, namely:
If a data subject believes that a data controller has failed to comply with a subject access request in contravention of the Act, they may apply to Court for an order that the data controller complies with the request. An order will be made if the Court is satisfied that the data controller has failed to comply with the request in contravention of the Act.
The data subject may take out an injunction under Section 9 to prevent the data controller from processing or even collecting personal data. This can be done where processing is likely to cause substantial damage or distress which is unwarranted.
An individual who suffers damage due to contravention by a data controller can seek compensation under Section 11.
What you read here is only a summary to introduce the concepts. You should not rely on it to build a legal case or safeguard your legal position. The University of Glamorgan and its employees cannot be held responsible for any legal or other redress due to errors in the notes. Seek professional legal advice before acting on what you read here.
|Other topics||Comments please to: firstname.lastname@example.org||© 1999, University of Glamorgan|